2025-06-03 20:31:13
GitHub_M
PUBLISHED
DataEase is an open source business intelligence and data visualization tool. A bypass of CVE-2025-46566s patch exists in versions prior to 2.10.10. In a malicious payload, `getUrlType()` retrieves `hostName`. Since the judgment statement returns false, it will not enter the if statement and will not be filtered. The payload can be directly concatenated at the replace location to construct a malicious JDBC statement. Version 2.10.10 contains a patch for the issue.